Date: Mon, 6 Apr 2015 12:29:05 -0400 (EDT)
From: cve-assign@...re.org
To: irl@...e.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Request CVE for LinuxNode - DoS vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> So, the questions are:
>
> 1. Is the above reasonable, i.e., there was (at one time) ...
irl@...e.org sent us a confirmation without a Cc to oss-security.
The CVE mapping is:
> a single
> vulnerability affecting both node and URONode in which a client could
> use "quit" within telnet, and thereby cause the server to waste
> network bandwidth on a radio path
Use CVE-2015-2927. The known affected version of node (aka LinuxNode)
is 0.3.2 (for Debian, the "ax25-node" package name is associated with
the "node" source-package name). Within the URONode changelog, the
relevant entry is apparently "21/05/08 v1.0.5r3 ... I added a
quit_handler routine in the main loop which now will execute a
node_logout(), flush out the IPCs, log the event to syslog, and close
out the application properly."
> app fails to close and more can be spawned by a crafty malicious
> user thus bringing the system to a point of no memory available.
This does not have a CVE ID. The node software was not attempting to
defend against a scenario in which a single client user causes
arbitrarily many node processes to run on the server simultaneously.
The node software runs as a service under inetd (or a similar
program), and any related restrictions would ordinarily be part of the
inetd configuration. Lack of restrictions is a site-specific problem.
("crafty malicious user" means, for example: if a client were allowed
to have 100 simultaneous node processes, the malicious user could
choose a request timing that ensured that 100 processes were always
running.)
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJVIrO0AAoJEKllVAevmvmsbXgIAJQdYhkCyxks3Js0ZhDkYkoJ
3ITLnWgGp92m/hcL92K/oRL3ZvZj2Ik7kwf/7YsllhQBgVjVwoPjr/c7MA40nbgo
1n/NFeFzrS3PM3ZivBk2wt9Gnc7mLG59P3Z9cR9oAGqhXqKOEodlRSaE1q8fHMFG
qm5Sj9AgHqhc4MDCIo+y/R/pSL0Ayiqzr3J8U9B+R+ls6JsY0co45r9OTtCShl+i
jazf4xFwNpkYo7VEx4zIIVd2DBUQm3XSqZT5kVdRp3pSf8MkM34E92POlptwKjNJ
PiXKMazkLspMwLs9j1WywFuub+XdrFWCWxXl9b83LqoTWcMGU7k3OcUZUqRNrFc=
=Jv34
-----END PGP SIGNATURE-----